[clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0
Yaron Elharar
yaron.elh at anycaseapp.com
Sat Jul 9 10:21:46 UTC 2022
That correlates exactly with when it started happening 👍
It's a pretty cool case converter called AnyCase
https://www.virustotal.com/gui/file/2852bc241913dc07ca13f865f766f0f07596e7d3209bc8caad767ff7f1e39ee9?nocache=1
"... but perhaps the above will allow you to track down what component of
the program is being detected."
I thought about doing that, but I don't know where to start.
It would be great to understand what is happening, and why.
Where should I start?
On Sat, Jul 9, 2022 at 12:59 PM Al Varnell via clamav-users <
clamav-users at lists.clamav.net> wrote:
> Hi,
>
> Just FYI, that was added to the ClamAV daily.ldb signature database on Apr
> 9 of this year, which matches your FP reporting effort timeline.
>
> And the signature is:
>
> % sigtool -fWin.Dropper.Tinba-9943147-0|sigtool --decode-sigs
> VIRUS NAME: Win.Dropper.Tinba-9943147-0
> TDB: Engine:51-255,Target:1
> LOGICAL EXPRESSION: 0&1&2&3&4
> * SUBSIG ID 0
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> !Win32 .EXE.
> * SUBSIG ID 1
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> .MPRESS1
> * SUBSIG ID 2
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> .MPRESS2
> * SUBSIG ID 3
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> G(XPTPjxW
> * SUBSIG ID 4
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> .)D$H+
>
> You didn't mention the name of your program or where it can be found, so
> I'm unable to check further, but perhaps the above will allow you to track
> down what component of the program is being detected.
>
> I suspect someone from the ClamAV Signature Team will spot this shortly,
> but it is the start of a weekend, so may take a couple of days.
>
> -Al-
>
> On Jul 9, 2022, at 1:10 AM, Yaron Elharar via clamav-users <
> clamav-users at lists.clamav.net> wrote:
>
> Hi Everyone
>
> My program has recently started to be flagged
> with Win.Dropper.Tinba-9943147-0 by ClamAV at Virus Total
>
> File hash
> 2852bc241913dc07ca13f865f766f0f07596e7d3209bc8caad767ff7f1e39ee9
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users at lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/Cisco-Talos/clamav-documentation
>
> https://docs.clamav.net/#mailing-lists-and-chat
>
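A starting point for the "where should I start?" question above. The decoded signature is a plain conjunction (0&1&2&3&4) of five byte strings, and two of them, `.MPRESS1` and `.MPRESS2`, are the section names that the MPRESS executable packer writes into a PE, so the first thing to check is whether the release build is run through MPRESS. The script below is an added example, not ClamAV code or the AnyCase project's code: it re-encodes the decoded subsignatures as ClamAV-style hex (`??` byte wildcards supported), searches a file for each one, reports the offsets, evaluates the logical expression, and lists the PE section names. The sample buffer it scans when run without arguments is constructed here and is not a real executable. It is an assumption that the decoded strings quoted above appear literally in the binary; if a decoded string contains placeholder characters, paste the raw hex from the first `sigtool -f` command into `SUBSIGS` instead, which is the form the engine actually matches.

```python
"""Locate which subsignatures of a ClamAV logical signature match a file.

Added example for this thread, not ClamAV code. Run as
    python ldb_triage.py path/to/program.exe
or without arguments to scan a constructed sample buffer.
"""
import re
import struct

# Decoded subsignatures from the quoted `sigtool --decode-sigs` output,
# re-encoded as ClamAV-style hex so that `??` wildcards can also be used.
# Assumption: these strings occur literally in the binary; if not, paste the
# raw hex from `sigtool -f` here instead.
SUBSIGS = {
    0: b"!Win32 .EXE.".hex(),
    1: b".MPRESS1".hex(),
    2: b".MPRESS2".hex(),
    3: b"G(XPTPjxW".hex(),
    4: b".)D$H+".hex(),
}
LOGICAL_EXPRESSION = "0&1&2&3&4"


def hex_to_regex(hexsig: str) -> bytes:
    """Turn a ClamAV hex string (optional ?? byte wildcards) into a bytes regex."""
    if len(hexsig) % 2:
        raise ValueError("hex signature must have an even number of digits")
    out = b""
    for i in range(0, len(hexsig), 2):
        pair = hexsig[i:i + 2]
        out += b"." if pair == "??" else re.escape(bytes([int(pair, 16)]))
    return out


def find_subsigs(data: bytes, subsigs: dict) -> dict:
    """Return {subsig id: [offset of every match in data]}."""
    hits = {}
    for sid, hexsig in subsigs.items():
        pattern = re.compile(hex_to_regex(hexsig), re.DOTALL)
        hits[sid] = [m.start() for m in pattern.finditer(data)]
    return hits


def eval_logical(expr: str, hits: dict) -> bool:
    """Evaluate an expression over subsig ids using &, | and parentheses.

    Only the subset needed for signatures like the one above; '&' binds
    tighter than '|' here (assumption: use parentheses when mixing them).
    """
    tokens = re.findall(r"\d+|[&|()]", expr)
    pos = 0

    def atom():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            value = or_expr()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses")
            pos += 1
            return value
        return bool(hits.get(int(tok)))

    def and_expr():
        nonlocal pos
        value = atom()
        while pos < len(tokens) and tokens[pos] == "&":
            pos += 1
            value = atom() and value  # evaluate the operand, then combine
        return value

    def or_expr():
        nonlocal pos
        value = and_expr()
        while pos < len(tokens) and tokens[pos] == "|":
            pos += 1
            value = and_expr() or value
        return value

    result = or_expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in expression")
    return result


def pe_section_names(data: bytes) -> list:
    """List section names from a PE header; enough to spot a packer's sections."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    (nsec,) = struct.unpack_from("<H", data, pe_off + 6)       # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                             # first IMAGE_SECTION_HEADER
    names = []
    for i in range(nsec):
        (raw,) = struct.unpack_from("<8s", data, table + 40 * i)
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def build_sample() -> bytes:
    """Constructed stand-in for an MPRESS-packed PE: minimal headers plus the five strings."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)   # 2 sections, no optional header
    secs = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0xE0000020)
        for name in (b".MPRESS1", b".MPRESS2")
    )
    body = b"\0" * 16 + b"!Win32 .EXE." + b"\0" * 16 + b"G(XPTPjxW" + b"\0" * 8 + b".)D$H+"
    return bytes(dos) + b"PE\0\0" + coff + secs + body


def triage(data: bytes) -> dict:
    """Which subsigs hit, where, whether the whole signature fires, and the section names."""
    hits = find_subsigs(data, SUBSIGS)
    return {
        "hits": hits,
        "fires": eval_logical(LOGICAL_EXPRESSION, hits),
        "sections": pe_section_names(data),
    }


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    report = triage(data)
    for sid, offs in report["hits"].items():
        print(f"subsig {sid}: {len(offs)} hit(s) at {[hex(o) for o in offs[:5]]}")
    print("sections:", report["sections"])
    print("signature fires:", report["fires"])
```

Run it against the flagged build: any subsignature with zero hits is the one to explain, and if all five hit, the offsets of 1 and 2 landing in the section table tells you the packer is what the signature keys on. Rebuilding without MPRESS (or with a different packer) and re-scanning with `clamscan` is the quickest way to confirm that before the false-positive report is processed.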